Critical Exploitation Technique in nearly every EDR

Unveiling a Critical Exploitation Technique: Introducing PolyDrop

At Kaiju Security, we are committed to keeping you informed about the latest cybersecurity threats. Today, we're excited to share insights into a new exploitation technique, developed in collaboration with our team, and a new tool called PolyDrop, which exposes significant gaps in current antivirus and endpoint detection systems. 

Bring-Your-Own-Script-Interpreter (BYOSI) Exploitation

Rather than dropping a compiled malicious binary, the attacker delivers a legitimate script interpreter (a trusted, often signed application that is not itself malicious) together with malicious source code to a Windows, macOS, or Linux target. Once both the interpreter and the source are on the system, the source code is executed through that interpreter. Because the executable on disk is a clean interpreter and the malicious logic lives in plain script text, many security controls that key on the executable never look at it.

Introducing PolyDrop: A Multi-Language Exploitation Tool

PolyDrop is a powerful tool we helped develop with the MalwareSupportGroup (https://x.com/mal_supp_grp), a collective of seasoned malware developers who have grown weary of the endless self-congratulatory hype surrounding the latest and greatest EDR solutions, which often seem more focused on burning through budgets than providing real security. PolyDrop uses thirteen languages, each with a runtime or toolchain that can execute source directly, to perform BYOSI attacks. These languages are:


  • TCL

  • PHP

  • Crystal

  • Julia

  • Golang

  • Dart

  • Dlang

  • Vlang

  • Node.js

  • Bun

  • Python

  • Fsharp

  • Deno

  • AV and EDR Evasion: Our research shows (by research we mean we have bypassed nearly every EDR with this method during our Red Team engagements) that these languages are wholly ignored by many antivirus vendors, including #MicrosoftDefender. This oversight allows a payload to execute and establish a reverse shell without detection.

  • Widespread Vulnerability: This exploitation technique currently goes undetected by most mainstream Endpoint Detection and Response (EDR) products.


Vendor Vulnerabilities:

A total of 14 vendors cannot (or simply don't) scan or process interpreted scripts, including:



Additionally, 54 vendors are seemingly unable to accurately identify malicious interpreted scripts, including:


  • Acronis (Static ML), AhnLabV3, ALYac, AntiyAVL, Arcabit, Avira (no cloud), Baidu, BitDefender, BitDefenderTheta, ClamAV, CMC, CrowdStrikeFalcon, Cybereason, Cynet, DrWeb, Emsisoft, eScan, ESETNOD32, Fortinet, GData, Gridinsoft (no cloud), Jiangmin, K7AntiVirus, K7GW, Kaspersky, Lionic, Malwarebytes, MAX, MaxSecure, NANOAntivirus, Panda, QuickHeal, SangforEngineZero, Skyhigh (SWG), Sophos, SUPERAntiSpyware, Symantec, TACHYON, TEHTRIS, Tencent, Trellix (ENS), Trellix (HX), TrendMicro, TrendMicroHouseCall, Varist, VBA32, VIPRE, VirIT, ViRobot, WithSecure, Xcitium, Yandex, Zillya, ZoneAlarmByCheckPoint, Zoner


Because these products do not reliably identify malicious interpreted scripts, we have found that payloads in the 13 languages above also escape detection by them, including #CrowdStrike, #SentinelOne, #PaloAltoNetworks, and #Fortinet.

Our findings confirm that #MicrosoftDefender, at least, treats these malicious payloads as plain text.
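The post describes the technique and the static-scanning gap but not how a defender would spot BYOSI execution on an endpoint. The following is an added example, not Kaiju Security's or PolyDrop's code, showing the telemetry-side check a practitioner would want: process-creation events where one of the thirteen language runtimes runs from a user-writable path, is handed a script from a user-writable path, or is spawned by a document or browser process. The runtime file names, source-file extensions, trusted install prefixes, and lure parents are my assumptions (the post does not name PolyDrop's binaries), and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Executable names for the thirteen languages the post lists. These names are
# my assumption about what a BYOSI dropper would ship; the post does not give
# PolyDrop's file names, and an attacker can rename a binary anyway, so pair
# this with hash or signer checks in a real deployment.
INTERPRETER_NAMES = {
    "tclsh", "tclsh86", "tclsh90",       # TCL
    "php", "php-cgi",                    # PHP
    "crystal",                           # Crystal (crystal run)
    "julia",                             # Julia
    "go",                                # Golang (go run)
    "dart",                              # Dart
    "rdmd", "dmd", "ldc2",               # Dlang
    "v",                                 # Vlang (v run)
    "node",                              # Node.js
    "bun",                               # Bun
    "python", "python3", "pythonw",      # Python
    "dotnet", "fsi",                     # Fsharp (dotnet fsi)
    "deno",                              # Deno
}

# Source-file extensions for the same languages (assumption, same caveat).
SCRIPT_EXTENSIONS = (".tcl", ".php", ".cr", ".jl", ".go", ".dart", ".d", ".v",
                     ".js", ".mjs", ".ts", ".py", ".fsx")

# Where a legitimately installed interpreter is expected to live (assumption;
# extend this from your own software baseline).
TRUSTED_PREFIXES = (
    r"c:\program files", r"c:\windows",
    "/usr/bin/", "/usr/local/bin/", "/usr/lib/", "/opt/",
    "/applications/", "/library/",
)

# Locations an unprivileged user can write to. An interpreter image, or the
# script it is handed, living here is the BYOSI signature.
USER_WRITABLE = re.compile(
    r"(?:^[a-z]:\\users\\[^\\]+\\|\\temp\\|^/tmp/|^/var/tmp/|^/home/|^/users/)",
    re.IGNORECASE,
)

# Parents that normally open documents or downloads, not interpreters (assumption).
LURE_PARENTS = {"winword", "excel", "powerpnt", "outlook", "chrome", "msedge", "firefox"}


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon event 1 / auditd execve shaped)."""
    image: str          # full path of the started executable
    command_line: str
    parent_image: str


def _basename(path):
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _trusted(path):
    p = path.lower()
    return any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def _script_args(command_line):
    # Split on whitespace but keep quoted paths (which may contain spaces) whole.
    tokens = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', command_line)]
    return [t for t in tokens if t.lower().endswith(SCRIPT_EXTENSIONS)]


def assess(event):
    """Return the reasons an event looks like BYOSI execution; empty means benign."""
    reasons = []
    if _basename(event.image) not in INTERPRETER_NAMES:
        return reasons
    if not _trusted(event.image):
        reasons.append("interpreter outside a standard install location")
    if USER_WRITABLE.search(event.image):
        reasons.append("interpreter image in a user-writable directory")
    for script in _script_args(event.command_line):
        if USER_WRITABLE.search(script):
            reasons.append("script argument in user-writable directory: " + script)
    parent = _basename(event.parent_image)
    if parent in LURE_PARENTS:
        reasons.append("spawned by " + parent)
    return reasons


def hunt(events):
    """Run assess() over a batch and keep only the events that raised a reason."""
    hits = []
    for event in events:
        reasons = assess(event)
        if reasons:
            hits.append((event.image, reasons))
    return hits


# Constructed sample events, not real telemetry: two BYOSI drops, one trusted
# interpreter fed a downloaded script, and two benign processes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\bob\AppData\Local\Temp\node.exe",
                 r'"C:\Users\bob\AppData\Local\Temp\node.exe" C:\Users\bob\AppData\Local\Temp\payload.js',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent("/usr/bin/python3", "/usr/bin/python3 /usr/lib/cnf-update-db", "/usr/bin/dpkg"),
    ProcessEvent("/tmp/.x/deno", "/tmp/.x/deno run --allow-all /tmp/.x/main.ts", "/usr/bin/bash"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Program Files\nodejs\node.exe",
                 r'"C:\Program Files\nodejs\node.exe" "C:\Users\bob\Downloads\invoice.js"',
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("   ", reason)
```

The script-from-user-writable-path rule is deliberately broad: it also catches a properly installed interpreter running a script out of Downloads or Temp, which is the common follow-on once the dropped runtime is in place. It will be noisy on developer workstations, where interpreters routinely run code under /home or Documents, so scope it by host group or baseline the parent processes before alerting on it.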

Kaiju Security and the MalwareSupportGroup (https://x.com/mal_supp_grp) developed this bypass technique together and are finishing the tool for release this week, which is, of course, just in time for DefCon. This underscores the critical importance of Red Teams, far beyond a simple pentest. The inability of leading antivirus and EDR vendors to detect these payloads highlights the need for advanced threat detection and testing strategies.

Learn more and protect your systems: stay ahead of emerging threats with Kaiju Security by visiting our website, contacting us at info@kaiju-security.com, or sending me a DM here on LinkedIn.

Please do us a favor and share with your networks so we can put some pressure on these companies.

Stay secure,

Kaiju Security
